[Samba] Winbindd chokes on W2K users in only one group

Gerald (Jerry) Carter jerry at samba.org
Wed Aug 17 13:35:45 GMT 2005



Ed Plese wrote:

> Another symptom of this behavior is that executing "wbinfo 
> -r <user>" with a user that is only a member of a single
> group (the primary group of the user) results in the error
> "Could not get groups for user <user>".  On any user in multiple
> groups, this command completes successfully, showing every
> group the user is a member of, including the user's primary group.
> 
....
> Looking over the code, it appears that the cause of the 
> problem is in the lookup_usergroups_alt function in
> winbindd_ads.c.  This function only gets called when the
> 'tokenGroups' attribute of the AD user object
> does not contain any groups.  According to the comments in 
> this file, instances where 'tokenGroups' does not contain any
> groups indicates a "buggy Win2k server".  The Active Directory
> domain controllers are running Windows 2000 SP4 with Active
> Directory in mixed mode and every user object that I checked
> has an empty 'tokenGroups' attribute.
> 
...
> In the lookup_usergroups_alt function, for cases where the 
> user is not a member of any other groups other than
> the primary group, the query for any groups with the user
> as a member returns zero results.  Instead of returning just
> the primary group, lookup_usergroups_alt instead returns no
> groups.  Correcting the logic can easily be done by returning
> the primary group for this case.
> 
> Patches for 3.0.14a and SAMBA_3_0 branch included.

Ed,

This has got to be a model of the perfect bug report :-)
Really good work.  You have a reproducible test case I can use,
an analysis of what the problem is, and a patch.  Kudos to you.
This will be included in 3.0.20.  I've already run through
a series of tests and the patch looks good.

> Is there something uncommon about the above attributes in 
> AD?  Do these attributes vary with the different AD versions?

I'm looking into the history of this.  My guess is that it
may have been an initial Windows 2000 bug that we were
working around.




cheers, jerry

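A simplified model of the logic described in the quoted report, added here as an illustration; it is not Samba's code or the submitted patch. The function names, the RID-array representation of the member query and the sample RIDs are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Append rid to out[] unless it is already present or the buffer is full. */
static size_t add_unique(uint32_t *out, size_t n, size_t cap, uint32_t rid)
{
    for (size_t i = 0; i < n; i++)
        if (out[i] == rid)
            return n;
    if (n < cap)
        out[n++] = rid;
    return n;
}

/* Primary group first, then every group the member query returned. */
static size_t merge(uint32_t primary, const uint32_t *member_of, size_t count,
                    uint32_t *out, size_t cap)
{
    size_t n = add_unique(out, 0, cap, primary);
    for (size_t i = 0; i < count; i++)
        n = add_unique(out, n, cap, member_of[i]);
    return n;
}

/* Reported behaviour: an empty member query ends the lookup with no groups,
 * so the primary group is lost ("Could not get groups for user"). */
size_t groups_reported(uint32_t primary, const uint32_t *member_of,
                       size_t count, uint32_t *out, size_t cap)
{
    if (count == 0)
        return 0;
    return merge(primary, member_of, count, out, cap);
}

/* Described fix: the primary group is returned even when the query is empty. */
size_t groups_fixed(uint32_t primary, const uint32_t *member_of,
                    size_t count, uint32_t *out, size_t cap)
{
    return merge(primary, member_of, count, out, cap);
}

int main(void)
{
    uint32_t out[8];
    /* Constructed case: primary group RID 513, member query returns nothing. */
    printf("reported: %zu group(s)\n", groups_reported(513, NULL, 0, out, 8));
    printf("fixed:    %zu group(s)\n", groups_fixed(513, NULL, 0, out, 8));
    return 0;
}
```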

